TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Information Technology Enterprise Governance Structure Needs Further Process Improvements to Ensure Adequate Oversight

July 31, 2008

Reference Number: 2008-20-134

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 31, 2008

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Information Technology Enterprise Governance Structure Needs Further Process Improvements to Ensure Adequate Oversight (Audit # 200720033)

This report presents the results of our review of the tiered-program management structure implemented by the Internal Revenue Service (IRS) for reporting and reviewing status and results on its information technology (IT) projects. The overall objective of this review was to determine whether the IRS has established and is following adequate internal controls to manage all IT investment projects within the new enterprise governance model in support of the IRS mission and goals.
Due to the critical nature of this area, the Chief Information Officer asked the Treasury Inspector General for Tax Administration to perform this audit, which was included as part of the Fiscal Year 2007 Information Systems Programs business unit’s Annual Audit Plan coverage of IRS modernization efforts.

Impact on the Taxpayer

The IRS estimated that it would spend $1.4 billion on IT products and services in Fiscal Year 2007. While the IRS has made progress in implementing its IT enterprise governance structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects. This will help to ensure that the IRS uses funds efficiently and effectively to provide oversight and control of all IT projects.

Synopsis

To better manage IT investments, the Chief Information Officer outlined a business commitment of implementing an IRS enterprise-wide IT tiered-program management structure.[1] This commitment requires that all IT investment projects follow a tiered-program management structure for reporting and reviewing project status and results. To implement the new tiered-program management structure, the IRS designed an enterprise governance model that assigns all IT projects to an appropriate executive oversight body. This program management concept makes a significant change to IRS procedures by empowering executive oversight bodies with the authority to make project cost, schedule, and scope decisions.

In Fiscal Year 2006, the IRS expanded the roles and responsibilities of the Program Control and Process Management Division[2] to incorporate and establish direction for the new enterprise governance model.
Since then, the Division has made significant progress in directing, developing, and implementing tiered-program management activities. For example, it has developed and distributed standardized reporting templates with documented processes and procedures for the executive steering committees. In addition, the IRS has created a master list of IT projects to track and assign oversight. Each IRS organization has formed or is planning to form its own individual Program Management Office to execute the new tiered-program management processes and procedures while providing oversight and management to assigned IT projects.

The IRS has been successful at improving program management and oversight activity awareness and communication throughout the organization. This is evident with the participation from IRS organizations in the newly formed Governance Working Group that provides a forum to share and network in the design, development, and formation of the tiered-program management structure, processes, and procedures. The Group meets biweekly and performs an important function by reviewing new tiered-program management concepts before they are submitted to senior IRS executives for approval and implementation.

While the IRS has made progress in implementing its tiered-program management structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects. The IRS has not fully:

    • Documented policies and procedures for developing a complete portfolio of IT projects.
    • Completed the setup of Program Management Offices for all IRS organizations.
    • Implemented the health assessment process.
    • Provided consistent and continual monitoring and oversight of major IT projects through the executive steering committees.

Completing actions to address the above conditions will help ensure that the enterprise tiered-program management structure provides effective oversight and control of all IT projects.

[1] See Appendix IV for a glossary of terms.
[2] The Program Control and Process Management Division in the Modernization and Information Technology Services organization includes the Program Governance Office and the Program Control Office. Separately, these two offices guide IT tiered-program management governance and control activities.

Recommendations

We recommended that the Chief Information Officer 1) work with other IRS executives to develop a complete and accurate master IT project list with a standard set of IT terms that have been approved and communicated to all IRS organizations, 2) ensure that the proposed governance directive is approved and communicated through all levels of the IRS, 3) establish formal policies and procedures to ensure that the health assessment process is consistently applied and followed across all IRS organizations, and 4) ensure that policies and procedures are developed or revised to require control organizations to review all assigned major IT projects monthly and present projects to the appropriate governance board’s attention when established thresholds are exceeded.

Response

IRS officials agreed with all of our recommendations.
The IRS plans to 1) build on work already completed, incorporate projects and operational applications into the IRS portfolio, and develop, approve, and communicate formal policies and procedures to continually update the portfolio and a standard set of IT terms, 2) obtain approval of the governance directive and communicate guidance to foster enterprise-wide adherence to the governance process, 3) conduct an enterprise-wide campaign of education and sustained support for the control organizations to ensure consistency of the health assessment process, and 4) ensure that all assigned major IT projects are reviewed monthly and are presented to the appropriate governance board’s attention when established thresholds are exceeded. Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Progress Has Been Made to Implement Tiered-Program Management Activities
    A Complete Tiered-Program Management Structure Has Not Been Fully Implemented to Ensure Effective Oversight and Control of All Information Technology Projects
        Recommendations 1 through 3
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Glossary of Terms
    Appendix V – Enterprise Governance Model
    Appendix VI – Progress in Governance and Control Processes
    Appendix VII – Management’s Response to the Draft Report

Abbreviations

IRS    Internal Revenue Service
IT     Information Technology

Background

The Internal Revenue Service (IRS) estimated that it would spend $1.4 billion on information technology (IT) products and services in Fiscal Year 2007.
To better manage the IT investments, the Chief Information Officer outlined a business commitment to implement an IRS enterprise-wide IT tiered-program management structure.[1] This commitment requires that all IT investment projects follow a tiered-program management structure for reporting and reviewing project status and results. This structure assigns projects to executive-level committees for oversight based on the cost of the project and other factors as determined by the IRS and to Program Management Offices for more direct control and performance assessments.

    All IT investment projects must follow a tiered-program management structure for reporting and reviewing project status and results.

To implement the new tiered-program management structure, the IRS designed an enterprise governance model that assigns all IT projects to an appropriate executive oversight body. The enterprise governance model is presented in Appendix V. This program management concept makes a significant change to IRS procedures by empowering executive oversight bodies with the authority to make project cost, schedule, and scope decisions. Another major change includes expanding the number of oversight committees and redefining the reporting structure to include executive steering committees and organization-level and management-level boards throughout the IRS.

As part of the tiered-program management structure, the IRS is implementing a control process requiring monthly assessments of all IT projects. These assessments (referred to as “health assessments”) are the primary tools used by the IRS to monitor key performance information on IT projects such as cost, schedule, and scope.
The IRS plans to implement the health assessment process throughout all of its organizations.

This review was performed at the Modernization and Information Technology Services organization facilities in New Carrollton, Maryland, during the period June through December 2007. During the audit, the IRS was executing new processes and making progress in implementing the tiered-program management structure. We communicated the interim results of our review and suggestions for improvement to Modernization and Information Technology Services organization officials on December 10, 2007. Additional changes and progress might have occurred since the conclusion of our analyses.

[1] See Appendix IV for a glossary of terms.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Progress Has Been Made to Implement Tiered-Program Management Activities

In Fiscal Year 2006, the IRS expanded the roles and responsibilities of the Program Control and Process Management Division[2] to incorporate and establish direction for the new enterprise governance model. Since then, the Division has made significant progress in directing, developing, and implementing tiered-program management activities. For example, it has developed and distributed standardized reporting templates with documented processes and procedures for the executive steering committees. In addition, the IRS has created a master list of IT projects to track and assign oversight. Each IRS organization has formed or is planning to form its own individual Program Management Office to execute the new tiered-program management processes and procedures while providing oversight and management to assigned IT projects.

    The Program Control and Process Management Division has made significant progress directing, developing, and implementing tiered-program management activities.

The IRS has been successful at improving program management and oversight activity awareness and communication throughout the organization.
This is evident with the participation from IRS organizations in the newly formed Governance Working Group that provides a forum to share and network in the design, development, and formation of the tiered-program management structure, processes, and procedures. The Group meets biweekly and performs an important function by reviewing new tiered-program management concepts before they are submitted to senior IRS executives for approval and implementation.

A Complete Tiered-Program Management Structure Has Not Been Fully Implemented to Ensure Effective Oversight and Control of All Information Technology Projects

While the IRS has made progress in implementing its tiered-program management structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects. The IRS has not fully:

    • Documented policies and procedures for developing a complete portfolio of IT projects.
    • Completed the setup of Program Management Offices for all IRS organizations.
    • Implemented the health assessment process.
    • Provided consistent and continual monitoring and oversight of major IT projects through the executive steering committees.

Completing actions to address the above conditions will help ensure that the enterprise tiered-program management structure provides effective oversight and control of all IT projects.

[2] The Program Control and Process Management Division in the Modernization and Information Technology Services organization includes the Program Governance Office and the Program Control Office. Separately, these two offices guide IT tiered-program management governance and control activities.

The IRS has not documented policies and procedures for developing a complete portfolio of IT projects

According to the Government Accountability Office Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity,[3] an organization should have documented policies and procedures for identifying and collecting information about its IT projects and systems. Specifically, the responsibility for submitting, updating, and maintaining relevant inventory information about each project should be explicitly assigned. In addition, the policies and procedures should provide common definitions for IT investment portfolio categories that are generally understandable by all stakeholders.

The IRS created a master list of IT projects based on seven available sources[4] that identify project activity.
Our reconciliation of the IT projects from these sources to the master IT list was not conclusive because naming conventions were not consistent for all projects, and source names did not always match the names included on the master IT list. For example, the New Portal Environment Project is the project name on the master IT list, while the Federal Information Security Management Act list identifies the project as “ISS (Infrastructure Shared Services), Web Hosting, -- Employee User portal (EUP), -- Registered User Portal (RUP), -- Citrix, Core Services, -- Application Messaging and Data Access Services (AMDAS), -- Enterprise Directory and Authentication Service (EDAS).” The difference in the project names and lists might be due to having several IRS functions maintain separate IT project lists for consolidation to the master list.

The IRS has been working to resolve these issues. However, the current methodology to identify the population of IT projects is extremely complex and is constantly changing. Policies and procedures to ensure that all IT projects are captured in the portfolio have not been documented. The IRS is further challenged with different interpretations of key IT terms used throughout the organization. These conditions make it difficult to identify the type, size, and importance of projects for tracking and reporting. Without a complete and accurate master list, the IRS does not have adequate assurance that all required IT projects have been identified and placed under proper governance authority for appropriate oversight and review.

[3] GAO-04-394G, dated March 2004.
[4] The seven sources we reviewed were the Federal Information Security Management Act [part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002)]; the Applications Development organization; the Capital Planning and Investment Control; the Enterprise Transition Strategy; the As-Built Architecture; and the ProSight system for the Department of Treasury and the IRS.

Management Action: Subsequent to our audit fieldwork, the IRS provided information about its efforts to assign unique identification codes to enable it to clearly identify, distinguish, and control IT projects. The IRS is currently completing this assignment process. In addition, the IRS provided us with information about its ability to identify specific IT project releases in the master IT list.

The IRS has not completed the setup of Program Management Offices

The new enterprise governance model relies heavily on the formation of individual Program Management Offices in each IRS organization. These Program Management Offices work with the Program Control and Process Management Division to ensure that the new procedures and control processes are appropriately executed.

As of December 2007, the formation of all required Program Management Offices was not completed. For example, Program Management Offices were not established for 3 of 6 Associate Chief Information Officer organizations and 4 of 10 IRS functions.
Appendix VI provides additional details on the IRS’ progress in implementing the Program Management Offices.

According to IRS officials, all of the required Program Management Offices will be implemented in the future. However, formal authority has not been established to require, review, or ensure that the IRS organizations comply with this requirement or any of the policies and procedures developed by the Program Control and Process Management Division. Without a consistent approach and required compliance with policies and procedures from the Program Control and Process Management Division, the enterprise governance processes might not be executed effectively to ensure that all required IT projects are provided with the appropriate governance, oversight, and review.

The IRS has not fully implemented the health assessment process

    Health assessments provide critical information for the entire governance and control process.

Each individual IT project team is required to perform a self-assessment (termed a health assessment) of its IT project and report the status of seven key performance areas: cost, schedule, scope, risk, staffing, organizational change, and technical features. To communicate the purpose, process, and procedures for performing health assessments, the Program Control and Process Management Division issued the Project Status Survey Assessor Guide on May 14, 2007, and the Project Status Survey User Guide on May 24, 2007.
Although these Guides were issued in May 2007, the Modernization and Information Technology Services organization Enterprise Governance board did not formally approve the guidance until November 19, 2007.

If a health assessment identifies significant issues in two or more of the seven key performance areas, IRS program management must conduct in-depth interviews with the IT project team to identify causes and develop corrective actions. Health assessment results and any corrective actions should be documented and reported to appropriate IRS officials, including assigned executive oversight committees. The executive oversight committees use these results to make informed decisions regarding the IT projects.

The IRS has not established formal policies and procedures to require compliance with the health assessment process. Our interviews with IRS officials determined that some IRS organizations were not fully aware of the monthly health assessment processes and procedures. In addition, the Applications Development organization has accepted responsibility for performing IT project health assessments for four other IRS organizations.[5]

Based on interviews with IRS officials and reviews of a judgmental sample of health assessments, we determined that the health assessment process was not adequately implemented across all IRS organizations. We identified the following concerns with the health assessment process:

    • Monthly health assessments were not conducted on all IT projects. During our review of monthly health assessment summaries from May through August 2007, we found that the Applications Development organization did not conduct health assessments on 22 IT projects from 4 other IRS organizations. Further, control processes were not established to conduct health assessments by two of the Associate Chief Information Officer organizations. As a result, these 2 organizations did not conduct health assessments on 39 assigned IT projects. Major projects without health assessments included the Enterprise Disk Encryption Phase II, the Appeals Automated Environment, and the Counsel Automated System Environment.
    • Corrective actions were not always developed for significant problems identified by health assessments. Our sample review of health assessments included two projects (the New Portal Implementation - major project, and the Tier 2 Encryption - non-major project) in which the IRS identified significant problems in several key areas such as cost, schedule, scope, and staffing. The responsible IRS program management did not conduct the required in-depth reviews with the IT project teams to discuss the problems and develop appropriate corrective actions.
    • Health assessments did not always measure and report the status of all key performance indicators for IT projects. Several IRS organizations were using different methods to conduct the health assessment processes. These organizations did not measure and report on all seven IT project key performance indicators (see Appendix VI for more information). Instead, the organizations reported on a subset of the key performance indicators based on processes they used prior to the tiered-program management initiative. Until the organizations begin reporting on all key performance indicators, the IRS will have inconsistent oversight and reporting of IT project development efforts.

[5] The Applications Development organization performs IT project health assessments for the Criminal Investigation and Agency-Wide Shared Services Divisions; the Human Capital Office; and the Research, Analysis, and Statistics function.

Without consistent application of established health assessment procedures, continual and effective reporting and monitoring of IT project performance might not occur.
Also, significant issues and proposed corrective actions might not be identified in a timely manner and brought to the attention of appropriate IRS officials for oversight and decision-making purposes.

The executive steering committees do not provide consistent and continual monitoring and oversight of all major IT projects

The executive steering committees are responsible for overseeing assigned major and non-major IT projects. During monthly meetings, the executive steering committees approve project proposals and milestone exits. They also review and make decisions based on risks and on cost and schedule variances. The 11 executive steering committees did not provide consistent and continual oversight of all assigned major IT projects. For example:

    • The Security Services and Privacy Executive Steering Committee did not discuss the Homeland Security Presidential Directive-12 Project for 5 months.
    • The Infrastructure and the Criminal Investigation Executive Steering Committees were not tracking the status of IT project corrective action items on a monthly basis.

According to IRS officials, the executive steering committees do not review all assigned IT projects monthly because they provide governance only on an “as needed” or “exception” basis. In addition, executive steering committee charters do not detail specific duties and responsibilities with documented processes and procedures for reviewing assigned major IT projects.

Without providing adequate and consistent oversight for IT projects, the executive steering committees might not be aware of IT project health problems affecting major IRS initiatives. For example, the Security Services and Privacy Executive Steering Committee is assigned to oversee the Homeland Security Presidential Directive-12 Project.
However, we found that the Committee did not discuss or oversee the results of this Project for a 5-month period. As reported in a prior audit report,[6] the Project experienced significant issues and problems resulting in the inefficient use of potentially $3.5 million. Another example is the Electronic Fraud Detection System Project,[7] which did not have continual oversight and resulted in the inefficient use of potentially $22.7 million.

Management Action: During our review, the IRS updated the proposed governance directive to include higher level approval authority by the Deputy Commissioners. This ensures that the enterprise-proposed governance directive will cover the entire IRS organization. In addition, the IRS revised the directive to require that executive steering committees track project action items to completion.

Recommendations

The Chief Information Officer should:

Recommendation 1: Work with other IRS executives to develop a complete and accurate master IT project list with formally approved and documented policies and procedures to continually update the portfolio. These procedures should include a standard set of IT terms that have been approved and communicated to all IRS organizations.

        Management’s Response: The IRS agreed with this recommendation. Building on work already completed, the IRS master IT project list will incorporate projects and operational applications into the IRS portfolio.
        The IRS will use the governance process to develop, approve, and communicate formal policies and procedures to continually update the portfolio as well as a standard set of IT terms.
Recommendation 2: Ensure that the proposed governance directive is approved and communicated through all levels of the IRS and work with IRS executives to require all IRS organizations to adhere to the Program Control and Process Management Division governance processes.
        Management’s Response: The IRS agreed with this recommendation and will work with executives from both the business and technology organizations to obtain approval of the governance directive and to communicate guidance to foster enterprise-wide adherence to the governance processes.

6 Lack of Proper IRS Oversight of the Department of the Treasury HSPD–12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).
7 The Electronic Fraud Detection System Redesign Failure Resulted in Fraudulent Returns and Refunds Not Being Identified (Reference Number 2006-20-108, dated August 9, 2006) and Oversight of the Electronic Fraud Detection System Restoration Activities Has Improved, but Risks Remain (Reference Number 2007-20-052, dated March 29, 2007).

Recommendation 3: Establish formal policies and procedures to ensure that the health assessment process is consistently applied and followed across all IRS organizations.
        Management’s Response: The IRS agreed with this recommendation.
        It will issue a directive and guidance and will conduct an enterprise-wide campaign of education and sustained support for the control organizations to ensure consistency of the health assessment process.
Recommendation 4: Ensure that policies and procedures are developed or revised to require control organizations to review all assigned major IT projects monthly and present projects to the appropriate governance board’s attention when established thresholds are exceeded.
        Management’s Response: The IRS agreed with this recommendation and will develop a directive and guidance to ensure that all assigned major IT projects are reviewed monthly by the appropriate control organizations and are presented to the appropriate governance board’s attention when established thresholds are exceeded.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has established and is following adequate internal controls to manage all IT investment projects within the new enterprise governance model in support of the IRS mission and goals. Due to the critical nature of this area, the Chief Information Officer asked the Treasury Inspector General for Tax Administration to perform this audit. To accomplish the objective, we:
I.     Determined whether the IRS developed a master list of all IT investment projects and a reliable process to update the list on a regular basis.
       A. Interviewed the Acting Director, Portfolio Estimation Delivery Services, to determine the process for developing the master list.
       B. Reviewed the completed master IT list.
II.    Determined whether the Program Control and Process Management Division has applied adequate oversight and authority to ensure that established program governance processes are followed by all IRS organizations.
       A. Interviewed the Director, Program Control and Process Management Division, to determine the current status of the governance program.
       B. Determined the areas, functions, and organizations within the IRS that have or have not implemented the proposed governance processes.
III.   Determined whether adequate oversight and reporting was developed at each level of the IRS organization to ensure compliance with the new enterprise governance structure.
       A. Reviewed areas that have not developed a formal Program Management Office or applied the new program governance process and procedures.
       B. Reviewed areas that have developed a formal Program Management Office and instituted mature program governance processes, controls, and procedures.
       C. Tested the level of compliance with the health assessments.
IV.    Determined whether the governing bodies (e.g., executive steering committees, organization-level governance boards, and management-level governance boards) followed approved policies, procedures, and templates outlined by the Program Control and Process Management Division.
       A. Determined whether established documents were being developed and delivered with appropriate guidelines followed.
       B. Determined whether the use of contractors for governance responsibilities is an efficient use of resources for the IRS.

Health Assessment Sample Selection Methodology
We judgmentally selected a sample of 21 project health assessments from a population of approximately 598 projects involving 7 IRS organizations. According to the health assessment procedures, each IT project team might not have to perform a monthly health assessment if the Program Management Office does not require an assessment that month. Therefore, there is no one-to-one relationship between the number of health assessments and the number of projects. We judgmentally selected the sample because we were not going to project the results over the entire population. Figure 1 identifies the 7 organizations and the 21 projects we sampled.

Figure 1: Health Assessment Project Sample

 Organization                           Health Assessment Project Name
                                        Correspondence Examination Automated
                                        System-Major-WINTEL
                                        Notice Print Processing
                                        Correspondence Imaging System Release 1
 Associate Chief Information Officer,   Operations and Maintenance
 Applications Development               Correspondence Imaging System Release 2
                                        Milestone 4
                                        Business Master File Document Specific
                                        Interim Revenue Accounting Control System
                                        Project
                                        Document and Imaging Management
 Associate Chief Information Officer,   Enterprise Application Integration Broker
 Enterprise Services                    New Portal Implementation Project Release 1.1
                                        Infrastructure Roadmap Initiative Phase III
 Associate Chief Information Officer,   Server Consolidation and Virtualization
 Enterprise Operations                  Tier 1 Encryption for Offsite Storage
                                        Tier 2 Encryption
 Small Business/Self-Employed Division  Expanded Compliance Data Warehouse
                                        Bankruptcy Law Advisory Rules Engine
                                        Form 94x to Service Center Recognition/Image
                                        Processing System
                                        Centralized Contact Center Forecasting and
 Wage and Investment Division
                                        Scheduling Release 1a
                                        Centralized Contact Center Forecasting and
                                        Scheduling Release 1b
 Tax Exempt and Government Entities     Tax Exempt and Government Entities
 Division                               Reporting and Electronic Examination System
                                        Issue Management System Integration
 Large and Mid-Size Business Division
                                        Decision Support and Data Capture
Source: Individual IRS organization project lists.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Preston B. Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Scott A. Macfarlane, Director
Edward A. Neuwirth, Audit Manager
Phung-Son Nguyen, Audit Manager
Wallace Sims, Senior Auditor
Charlene Elliston, Auditor
Suzanne Noland, Auditor
Linda Screws, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Large and Mid-Size Business Division SE:LM
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Tax Exempt and Government Entities Division SE:T
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer OS:CIO
Associate Chief Information Officer, Applications Development OS:CIO:AD
Associate Chief Information Officer, Enterprise Services OS:CIO:ES
Director, Stakeholder Management OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Large and Mid-Size Business Division SE:LM
       Commissioner, Small Business/Self-Employed Division SE:S
       Commissioner, Tax Exempt and Government Entities Division SE:T
       Commissioner, Wage and Investment Division SE:W
       Associate Chief Information Officer, Applications Development OS:CIO:AD
       Associate Chief Information Officer, Enterprise Services OS:CIO:ES
       Director, Program Oversight OS:CIO:SM:PO

Appendix IV

Glossary of Terms

Appeals Automated Environment Project
    A major project that provides a fully integrated office automation environment and IT support to the IRS Appeals function.
Bankruptcy Law Advisory Rules Engine Project
    A non-major project for web-based decision support answering incoming calls from taxpayers by the Centralized Insolvency site at the Philadelphia Campus.
Business Master File
    The IRS database that consists of Federal tax-related transactions and accounts for businesses.
    These include employment taxes, income taxes on businesses, and excise taxes.
Business Master File Document Specific Project
    A major project that accounts for annual changes to Business Master File forms processing.
Campus
    The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
Centralized Contact Center Forecasting and Scheduling Project
    A non-major project for identifying and deploying end-to-end workforce management solutions with workforce planning functionality.
Correspondence Examination Automated System Project
    A major project that will incrementally replace the Report Generation System Batch application with a web-based environment.
    It will allow inventories to be managed at a corporate level.
Correspondence Imaging System Project
    A major project that captures images of correspondence from taxpayers that are intended to be worked by Accounts Management organization employees.
Counsel Automated System Environment Project
    A major project that provides the automated tools that Office of Chief Counsel employees require to accomplish their official duties in the most cost-effective and efficient manner.
    This project consists of a number of core functions that have been implemented on a standard hardware platform nationwide, integrating new and existing systems.
Decision Support and Data Capture Project
    A non-major project that will develop a comprehensive set of tools and applications to extract and manage data from paper documents for use in decision support, including ranking, issue scoring, issue selection, workload selection capabilities, and support case building, and provide increased ability to share information.
Document and Imaging Management Project
    A non-major project that will develop enterprise capabilities to guide Document Management projects.
Enterprise Application Integration Broker Project
    A major project that is a main component of the IRS Service Oriented Architecture that allows modernized systems to use common infrastructure security and application services to access and leverage systems and data repositories across heterogeneous platforms.
Enterprise Disk Encryption Project
    A major project that provides encryption for IRS IT, including desktop and laptop computers.
Executive Steering Committee
    A committee that oversees investments, including validating major investment business requirements and ensuring that enabling technologies are defined, developed, and implemented.
Expanded Compliance Data Warehouse Project
    A non-major project that will improve existing workload identification and prioritization, allowing the IRS to better evaluate alternative treatments and ensure that cases receive the most efficient and effective process.
Filing Season
    The period from January through mid-April when most individual income tax returns are filed.
Form 94x to Service Center Recognition/Image Processing System Project
    A non-major project that will serve to improve the method of processing paper form returns by migrating from a labor-intensive, manual, transcription-based system to an automated image-based system.
Infrastructure Roadmap Initiative Phase III Project
    A non-major project that was initiated to acquire contractor expertise to support the continued effort of evaluating the IRS IT infrastructure and investment candidates while providing detailed descriptions of the investment path and making regular recommendations of investments for selection.
Interim Revenue Accounting Control System Project
    A major project that records tax revenue due the Federal Government and maintains records of assessments, collections, accounts receivable, refunds, overassessments, and other elements of revenue accounting.
Issue Management System Integration Project
    A non-major project with the goal of replacing the Exam Return Control System, which is an outdated inventory control system, for the Large and Mid-Size Business Division.
Major/Non-Major Projects
    Department of the Treasury specific criteria state that major IT investments (or projects) have an annual cost equal to or greater than $5 million, or total lifecycle costs exceeding $50 million. Projects not meeting these criteria are considered non-major.
Milestone
    Milestones provide for “go/no-go” decision points in a project and are sometimes associated with funding approval to proceed.
New Portal Implementation Project
    A major project that delivers, in phased releases, an infrastructure build-out to support existing and planned applications available to internal and external users, such as taxpayers, tax practitioners, and IRS employees.
Notice Print Processing Project
    A non-major project that supports all IRS notices and letters that reside on the Print System.
Server Consolidation and Virtualization Project
    A non-major project that consolidates the existing server environment, maximizing the use of all server sources across the enterprise.
Tax Exempt and Government Entities Reporting and Electronic Examination System Project
    A non-major project that will provide an automated examination case management system, consolidate multiple legacy systems, leverage existing income tax solutions, and provide computation tools and statutory compliance testing required by end users.
Tier 1 Encryption for Offsite Storage and Tier 2 Encryption Project
    A non-major project that is designed to provide the ability to encrypt information generated by IRS Tier 1 and Tier 2 systems.
Tiered-Program Management Structure
    The structure includes 1) governance that refers to assignment of IT projects to an executive oversight level and establishment of Program Management Offices to oversee projects and 2) control that refers to reviewing project performance through monthly assessments.

Appendix V

Enterprise Governance Model

The enterprise governance model will account for all IT investment projects regardless of dollar value, including projects considered to support existing operations and maintenance activities. Figure 1 provides a schema of the new governance structure.
The following are the
descriptions of the acronyms used in Figure 1 to describe the governing bodies:
AWSS – Agency-Wide Shared Services
C&L – Communications and Liaison
CC – Office of Chief Counsel
CFO – Chief Financial Officer
CI – Criminal Investigation
EEO – Equal Employment Opportunity and Diversity
HCO – Human Capital Office
LC – Life Cycle
LMSB – Large and Mid-Size Business
MA&SS – Mission Assurance and Security Services
MEG – Modernization and Information Technology Services Enterprise Governance
Mgmt – Management
MIM – MEG Investment Management
MITS – Modernization and Information Technology Services
MVS – Modernization, Vision, and Strategy
OPR – Office of Professional Responsibility
SBSE – Small Business/Self-Employed
SOI/RAS – Statistics of Income/Research, Analysis, and Statistics
SSMC – Service, Support, and Modernization
TAS – Taxpayer Advocate Service
TEGE – Tax Exempt and Government Entities
W&I – Wage and Investment

Figure 1: Enterprise Governance Model

Source: IRS Program Control and Process Management Division.

Appendix VI

Progress in Governance and Control Processes

Figure 1 shows the progress the IRS has made in establishing Program Management Offices and performing health assessments by the Associate Chief Information Officers and business operating divisions as of December 31, 2007.

Figure 1: Establishment of Governance and Control Processes

                                   Governance and Control Process

Associate Chief Information Officers                       Program Management Offices   Health Assessments
Applications Development                                   Yes                          Yes
End User Equipment and Services                            No                           No
Enterprise Networks                                        No                           No
Enterprise Operations                                      Yes                          Yes
Enterprise Services                                        Yes                          Yes
Management                                                 No                           No

Business Operating Divisions                               Program Management Offices   Health Assessments
Large and Mid-Size Business                                Yes                          Partial*
Small Business/Self-Employed                               Yes                          Partial*
Tax Exempt and Government Entities                         Yes                          Partial*
Wage and Investment                                        Yes                          Partial*

Offices                                                    Program Management Offices   Health Assessments
Agency-Wide Shared Services                                Yes                          No
Appeals                                                    Yes                          No
Chief Counsel                                              Yes                          No
Commissioner’s Complex, Equal Employment Opportunity       No                           No
  and Diversity, and Office of Professional
  Responsibility
Communications and Liaison                                 No                           No
Criminal Investigation                                     Yes                          No
Human Capital                                              Yes                          No
Chief Financial Officer                                    No                           No
Research, Analysis, and Statistics/Statistics of Income    No                           No
Taxpayer Advocate Service                                  Yes                          No

* An assessment was conducted, but the scope did not include all seven key process indicators.
Source: Interviews of IRS staff and analysis of IT governance and control documentation.

Appendix VII

Management’s Response to the Draft Report
'